(54) METHOD, SYSTEM AND SERVER FOR IMPLEMENTING DHCP ADDRESS SECURITY ALLOCATION



(57) A method and system for implementing DHCP address security allocation, and an authentication server. The core of the invention is that a DHCP client end sends the discovery message through an access network; the access network side acquires identification information of said DHCP client end, such as its port information, and authenticates the client based on said identification information; finally, the DHCP server allocates address information only to the authorized DHCP client end. The invention can therefore perform access authentication for a user according to location information and allocate addresses only to legal user terminals, which enhances the security of address allocation in the DHCP manner. Also, in the invention, the addresses are managed in a unified way by the AAA server, or the address is allocated after the AAA server authenticates successfully.
Description

Field of the Invention 

[0001] The present invention relates to the technical field of network communications, in particular, to a method, a system and a server for realizing a secure assignment of a Dynamic Host Configuration Protocol (DHCP) address.


Background of the Invention 

[0002] As access technologies such as ADSL (Asymmetrical Digital Subscriber Line) and Ethernet become more and more mature, broadband access becomes more and more popular; and IPTV (Internet Protocol Television) video and VoIP (Voice over Internet Protocol) services developed based on the broadband access network become more and more abundant. The development of each service needs to employ a dedicated terminal; for example, video service needs to use an STB (Set Top Box), and voice service needs to use an IAD (Integrated Access Device). Each dedicated terminal needs to obtain a local address before a service is carried out, and then each service may be carried out using the local address.

[0003] In a communication network, each terminal usually obtains an IP (Internet Protocol) address based on the DHCP protocol. However, in a traditional online service, PPPoE (Point-to-Point Protocol over Ethernet) is usually employed, and an AAA (Authentication, Authorization and Accounting) server is needed to authenticate an access subscriber and assign the IP address. Usually, the AAA server may be a RADIUS (Remote Authentication Dial In User Service) server or another authentication server.

[0004] Figure 1 shows a structure of a network communication system in which an authentication is performed by a RADIUS server and the IP address is obtained via a DHCP server.

[0005] DHCP server is a server for managing IP addresses and is adapted to respond to an address assignment request from a computer and assign an appropriate IP address to the computer.

[0006] DHCP client is a terminal adapted to obtain network parameters such as the IP address using the DHCP protocol, including computer, STB and IAD.

[0007] RADIUS server is adapted to manage the account and password of a subscriber and perform an authentication to an access subscriber.

[0008] BRAS (Broadband Remote Access Server) is adapted to manage the access of a broadband subscriber; for a PPPoE subscriber, the BRAS acts as a RADIUS client and initiates an authentication request to the RADIUS server; and for a DHCP subscriber, the BRAS implements the DHCP relay function.

[0009] Access Network is an intermediate network between the subscriber household and the BRAS.
[0010] Access Node is a device connecting with a subscriber line directly in an access network, such as the ADSL access device DSLAM (Digital Subscriber Line Access Multiplexer).

[0011] OSS (Operations Support Systems) is a system for the operator to release and manage a service.

[0012] In Figure 1, a DHCP client such as an STB or IAD may be assigned a corresponding IP address using the DHCP protocol by a DHCP server disposed in the network.

[0013] The specific process in which each DHCP client of Figure 1 obtains the address is as shown in Figure 2, including the following steps.

[0014] Step 21: A DHCP client switches on and sends a DHCP Discovery message to search for a server capable of providing the DHCP service.

[0015] Step 22: As a DHCP relay, a BRAS relays the DHCP Discovery message to the designated DHCP server.

[0016] Step 23: The DHCP server returns a DHCP Offer message to indicate that the DHCP server is capable of assigning an IP address to the client.

[0017] Step 24: The DHCP client sends a DHCP Request message and the BRAS relays the DHCP Request message to the DHCP server.

[0018] Step 25: The DHCP server assigns an appropriate IP address and returns a DHCP Reply message.

[0019] Therefore, the DHCP client may obtain the IP address, and thus access the network and obtain the network service.

[0020] It can be seen from the above DHCP address assignment process that, while the DHCP client obtains the IP address in DHCP mode, an invalid subscriber may easily obtain a corresponding IP address and thus obtain the network service. Therefore, it is easy for a hacker to maliciously use up the IP address resources and attack the network. Moreover, after the hacker attacks the network, the hacker cannot be traced.

[0021] Additionally, the operator needs to use a DHCP server to manage the IP address of the user of the DHCP client and use a RADIUS server to manage the IP address of the user of the PPPoE client. As a result, there exist two sets of IP address resource management mechanisms, the data is decentralized, and the management cost is high.

Summary of the Invention 

[0022] In view of the above problems in the prior art, 
an object of the present invention is to provide a method, 
a system and a server for realizing a secure assignment 
of a DHCP address, so that the security of the
address assignment process of the DHCP server may
be effectively guaranteed.

[0023] The object of the present invention is realized 
by the following technical solutions. 
[0024] The present invention provides a method for realizing a secure assignment of DHCP address, including:

[0025] A. sending, by a DHCP client, a DHCP Discovery message via an access network;

[0026] obtaining, by the access network side, identification information of the DHCP client and performing an authentication to the DHCP client based on the identification information; and

[0027] C. assigning, by a DHCP server, an address to the DHCP client that has passed the authentication.

[0028] The identification information includes:

[0029] a port number, a circuit number and a connection number of the DHCP client.

[0030] The step B includes:

[0031] determining, by an access node or an access server in the access network, the identification information according to ingress port/circuit/connection information of the DHCP Discovery message.

[0032] The step B includes:

[0033] performing, by the access node or the access server in the access network, a validity authentication to the client according to the identification information of the DHCP client and preconfigured identification information for a valid subscriber.

[0034] The step B includes:

[0035] B1. initiating, by the access node or the access server in the access network, an authentication request to the authentication server using the identification information of the client; and

[0036] B2. performing, by the authentication server, the validity authentication to the client according to the identification information saved for the valid subscriber.
[0037] The present invention further provides a DHCP authentication server for realizing a secure assignment of DHCP address, including:

[0038] a DHCP server module, adapted to receive a DHCP request message sent by a DHCP client via an access node or an access server and reply to the DHCP client with an address assigned to a client that has passed an authentication, the address being returned by an AAA server and received by an AAA client module;

[0039] a protocol converting module, adapted to obtain information needed in AAA authentication in a DHCP Discovery message of a corresponding DHCP client sent from the access node or the access server, generate an AAA authentication message, generate a DHCP Offer message according to an authentication response message received by the AAA client module and send the DHCP Offer message; and

[0040] the AAA client module, adapted to communicate with the AAA server based on the AAA authentication message generated by the DHCP protocol converting module, obtain an authentication result on the DHCP client, and deliver the authentication result to the protocol converting module and the DHCP server module.

[0041] The present invention further provides a DHCP authentication server for realizing a secure assignment of DHCP address, including:

[0042] an authentication processing module, adapted to obtain identification information of a client initiating a DHCP process, perform a validity authentication to the client according to identification information saved for a valid subscriber, and send a DHCP Discovery message of the DHCP client that has passed the validity authentication to the DHCP server; and

[0043] a DHCP server, adapted to receive the DHCP Discovery message sent by the authentication processing module and send a DHCP Offer message to the DHCP client, and assign an address to a corresponding DHCP client in an address pool of the DHCP server when the DHCP client sends a DHCP request message.

[0044] The present invention further provides a system for realizing a secure assignment of DHCP address, including a DHCP client, an access network and a DHCP authentication server; the DHCP client is adapted to communicate with the DHCP authentication server via an access network to obtain an address; the DHCP authentication server is adapted to perform a validity authentication to a DHCP Discovery message of the DHCP client obtained by the access network, and assign an address to the DHCP client that has passed the validity authentication.
[0045] The present invention further provides a method for realizing a secure assignment of DHCP address based on the above system, including:

[0046] C. receiving, by an access node or an access server, a DHCP Discovery message sent from a DHCP client, and inserting identification information of the client into the DHCP Discovery message and sending the DHCP Discovery message to a DHCP authentication server;

[0047] obtaining, by the DHCP authentication server, the identification information of the client from the DHCP Discovery message; and

[0048] performing, by the DHCP authentication server, a validity authentication to the client using the identification information, and only performing an address assignment process on the client that has passed the validity authentication.

[0049] The step E includes:

[0050] performing, by the DHCP authentication server, the authentication to the DHCP client locally according to identification information saved for a valid subscriber, and sending the DHCP Discovery message of the client that has passed the authentication to a DHCP server; and performing, by the DHCP server, an address assignment process.

[0051] The present invention further provides a method for realizing a secure assignment of DHCP address, including:

[0052] F. receiving, by an access node or an access server, a DHCP Discovery message sent from a DHCP client, and inserting identification information of the client into the DHCP Discovery message and sending the DHCP Discovery message to a DHCP authentication server;

[0053] G. obtaining, by the DHCP authentication server, the identification information of the client from the message;

[0054] H. sending, by the DHCP authentication server, an authentication request message to an AAA server using the identification information, and performing, by the AAA server, an authentication to the identification information of the client and assigning an address to the client that has passed the authentication;

[0055] or,

[0056] sending, by the DHCP authentication server, the authentication request message to the AAA server using the identification information, and performing, by the AAA server, an authentication to the identification information of the client; assigning, by the DHCP authentication server, the address to the client that has passed the authentication after receiving authentication pass information.
[0057] It can be seen from the above technical solutions of the present invention that, in the present invention, an access authentication may be performed on a subscriber according to location information, and IP addresses are only assigned to a valid subscriber or a valid terminal. Therefore, the security of address assignment in DHCP mode may be enhanced greatly.

[0058] Moreover, in the present invention, addresses may be managed by a RADIUS server in a unified manner; in other words, the DHCP server and the RADIUS server manage the IP addresses in a unified manner, thus the cost of network management may be lowered. In addition, the original security measures of the RADIUS server may be used to control the number of IP addresses to be obtained by a subscriber, so that the attack of malicious address use-up may be effectively prevented. Even if a network attack or other network security problems occur, the physical location of the subscriber may be traced according to the IP address, so that a hacker may be effectively deterred from carrying out an attack activity.

[0059] The present invention has good compatibility; in other words, during the implementation of the present invention, no extra interface or command is added to the OSS system, and the service management process on the user of the DHCP client is consistent with the original service release management process on the PPPoE client. As a result, the investment of the operator may be protected.

Brief Description of the Drawings

[0060] Figure 1 is a structural representation of a broadband access system;

[0061] Figure 2 is a schematic diagram showing a process in which a DHCP server obtains an address;

[0062] Figure 3 is a structural representation of the DHCP authentication server according to the present invention;

[0063] Figure 4 is another structural representation of the DHCP authentication server according to the present invention;

[0064] Figure 5 is a structural representation of a system according to the present invention;

[0065] Figure 6 is a schematic diagram of a DHCP address assignment process based on the system shown in Figure 5;

[0066] Figure 7 is a schematic diagram of another DHCP address assignment process based on the system shown in Figure 5;

[0067] Figure 8 is another structural representation of a system according to the present invention; and

[0068] Figure 9 is a schematic diagram of a DHCP address assignment process based on the system shown in Figure 8.

Detailed Description of the Embodiments 

[0069] The main concept of the present invention lies 
in that: during the process in which a DHCP client obtains 
an address from a DHCP server, a validity authentication 
process on the DHCP client is added, so that an invalid 
subscriber may be prevented from attacking the DHCP 
server. In addition, based on the above concept, the ad- 
dress management of the DHCP server and the authen- 
tication server may be united, thus it is easy to perform 
address management. The authentication server in- 
cludes an AAA server such as a RADIUS server. Option- 
ally, the authentication server may be other authentica- 
tion servers with the similar function. 
[0070] One embodiment of the present invention pro- 
vides a method for realizing a secure assignment of a 
DHCP address, mainly including the following. 
[0071] (1) A DHCP client sends a DHCP Discovery 
message via an access network. 
[0072] (2) The access server on the network side (such 
as BRAS and access node) determines identification in- 
formation of the DHCP client, such as the port number, 
VPI (Virtual path identifiers)/VCI (Virtual channel identi- 
fiers) and VLAN ID (Virtual Local Area Network ID), ac- 
cording to ingress port information of the DHCP Discov- 
ery message, and performs an authentication to the DH- 
CP client based on the identification information of the 
DHCP client and preconfigured identification information 
for a valid subscriber. 

[0073] Specifically, taking the RADIUS server as an 
example, the access node or the access server in the 
access network initiates an authentication request to the 
RADIUS server according to the identification informa- 
tion of the client, and the RADIUS server performs a va- 
lidity authentication to the client according to the identi- 
fication information saved for the valid subscribers. 
[0074] Optionally, a gateway specialized for an au- 
thentication may also be configured. The gateway per- 
forms a corresponding authentication according to con- 
figured information. 

[0075] (3) The DHCP Discovery message of the DHCP client having passed the authentication is sent to the DHCP server, and the address is assigned to the DHCP client via the DHCP server. The specific address assignment process is the same as a conventional address assignment process, and a repeated description thereof is omitted.

[0076] Moreover, a corresponding DHCP server with an authentication function may be configured in the network, so that the DHCP server may first perform an authentication process after receiving a DHCP Discovery message sent from a DHCP client, and the corresponding address will only be assigned after the authentication is passed.

[0077] The present invention provides two kinds of DHCP authentication servers with the authentication function. The two DHCP authentication servers are described below in conjunction with the drawings.

[0078] For the first kind of DHCP authentication server with the authentication function, the authentication for the DHCP client is implemented by an authentication server, such as the RADIUS server. The specific structure of the DHCP authentication server is as shown in Figure 3. With the RADIUS server in Figure 3 as an example, the DHCP authentication server specifically includes a DHCP server module, a protocol converting module and a RADIUS client module.

[0079] The DHCP server module is adapted to assign an IP address to the DHCP client that has passed the authentication. Specifically, a DHCP request message sent by a DHCP client via an access node or an access server is received, and the corresponding IP address is assigned to the DHCP client by the DHCP server module, wherein the IP address is returned by the RADIUS server for the client that has passed the authentication and received by the RADIUS client module.

[0080] The protocol converting module is adapted to obtain the information needed by the RADIUS authentication from the DHCP Discovery message of the corresponding DHCP client sent from the access node or the access server, and generate a RADIUS authentication message for performing the authentication to the DHCP client. The protocol converting module also needs to respond to the DHCP client according to an authentication response message received by the RADIUS client module. Specifically, for the response message of the DHCP client that has passed the authentication, the protocol converting module needs to generate a corresponding DHCP Offer message and send the corresponding DHCP Offer message to the corresponding DHCP client to indicate that the corresponding IP address may be assigned to the DHCP client.

[0081] The RADIUS client module is adapted to communicate with the RADIUS server based on the authentication message generated by the DHCP protocol converting module, so that the authentication process on a DHCP client is implemented. Specifically, the validity authentication may be performed according to the authentication rule configured in the RADIUS server, and thus the authentication result on the DHCP client is obtained. The authentication result includes the IP address assigned to the client by the RADIUS server, which needs to be delivered to the DHCP server module. The response message of the DHCP client that has passed the authentication needs to be delivered to the protocol converting module for further processing; in other words, a DHCP Offer message is sent to the DHCP client.

[0082] At this time, the DHCP authentication server operates in a gateway mode, and supports the DHCP protocol and the RADIUS protocol. In terms of the DHCP client and the BRAS, the DHCP authentication server is the DHCP server, while in terms of the RADIUS server, the DHCP authentication server is the RADIUS client.

[0083] The specific process is as follows. The DHCP authentication server processes a DHCP message forwarded via a DHCP relay and generates a RADIUS message to initiate an authentication to the RADIUS server according to the identification information of the client carried in the message. The RADIUS server determines the validity of the subscriber according to preconfigured subscriber data to complete the authentication and assigns an IP address to the subscriber. The DHCP authentication server returns a DHCP message carrying the IP address assigned by the RADIUS server to the DHCP client after receiving the authentication response message from the RADIUS server. Thus, the DHCP client obtains the IP address.

[0084] For the second kind of DHCP authentication server with the authentication function, the authentication function is configured and implemented locally. The specific structure of the DHCP authentication server is as shown in Figure 4, including an authentication processing module and a DHCP server module.

[0085] The authentication processing module is adapted to obtain the identification information of the DHCP client when the DHCP process is initiated, perform a validity authentication to the client according to the identification information saved for valid subscribers, and then send an authentication result to the DHCP server module, wherein the identification information of the valid subscriber is saved in a corresponding storage module (not shown).

[0086] The DHCP server module is adapted to obtain the authentication result on the DHCP client from the authentication processing module, send a DHCP Offer message to the DHCP client with the authentication result of PASSED to indicate that the DHCP server may assign a corresponding IP address to the DHCP client, and then assign the corresponding IP address to the DHCP client after the DHCP client sends a DHCP request message. Thus, the function of the DHCP server is implemented.

[0087] At this point, the DHCP authentication server operates in a server mode, corresponds to a DHCP server with a secure authentication function, and may implement the authentication and address assignment for a client independently.

[0088] The above two kinds of DHCP authentication servers with the authentication function may be configured in any network in need of a DHCP server to realize the corresponding function of address assignment.
[0089] The present invention further provides a corresponding system with a DHCP address assignment and authentication function for realizing a secure assignment of a DHCP address. The structure of the system is shown in Figure 5 and Figure 8 respectively, specifically including a DHCP client, an access network and a DHCP authentication server. The DHCP authentication server is adapted to perform a validity authentication to a DHCP Discovery message of the DHCP client obtained by the access network, and perform an address assignment to the DHCP client that has passed the authentication.

[0090] In the system according to the present invention, the DHCP authentication server may perform the authentication to the DHCP client and assign a corresponding IP address in the following two modes.

[0091] Mode 1: As shown in Figure 5, the identification information of the DHCP client is sent to the RADIUS server in an authentication request message. The RADIUS server performs an authentication and assigns the corresponding IP address to the DHCP client, or the RADIUS server only performs the authentication and the corresponding IP address will be assigned by the DHCP server. Herein, the specific application of the present invention is only described by taking the RADIUS server as the authentication server, but the present invention is not limited hereto.

[0092] Mode 2: As shown in Figure 8, the validity authentication is performed on the identification information of the DHCP client according to the identification information of the valid subscriber saved locally, and the DHCP server may assign the corresponding IP address to the DHCP client that has passed the authentication.

[0093] Specifically, in the system, the access node and BRAS support the capture of a DHCP message and insert an option Option82 into the DHCP message, so that the DHCP authentication server may obtain the corresponding identification information of the DHCP client after receiving the DHCP message. In the option Option82, subscriber location information, acting as the identification information, is identified. Specifically, the subscriber location information includes port information, VPI/VCI information and VLAN ID. The option Option82 may be inserted into the DHCP message on the access node, or the option Option82 may be inserted into the DHCP message on the BRAS.

[0094] The present invention further provides a corre- 
sponding method for realizing a secure assignment of a 
DHCP address based on the above system. A detailed
description is given below.
[0095] Firstly, for example, the method will be illustrat- 
ed when the DHCP authentication server operates in the 
gateway mode and the authentication server is the RA- 
DIUS server. Specifically, the method is shown in Figure 
5, Figure 6 and Figure 7. 

[0096] As shown in Figure 5 and Figure 6, the method 
includes the following steps. 

[0097] Step 61: When a subscriber opens an account, the operator adds a piece of subscriber data to a RADIUS server. The account is the subscriber location information, the encoding mode is consistent with the option Option82 inserted by the access node or the BRAS, and the MAC (Media Access Control) address of a terminal (STB, IAD) may be optionally recorded.

[0098] Step 62: When the DHCP client needs to obtain the IP address, the DHCP client needs to send a DHCP Discovery message to the BRAS.

[0099] Step 63: As a DHCP relay, the BRAS captures the DHCP message and inserts option Option82 into the message, and then sends the DHCP Discovery message carrying the subscriber location information to the DHCP authentication server. The subscriber location information, such as port information, VPI/VCI and VLAN ID, is identified in the option Option82.

[0100] Step 64: The DHCP authentication server receives the DHCP message relayed by the BRAS, extracts the option Option82 and the MAC address of the terminal, generates a RADIUS protocol message and sends the RADIUS protocol message to the RADIUS server, wherein the account in the message is the content of Option82, and the attribute of Calling-Station-ID in the message is the MAC address of the terminal.

[0101] The RADIUS server receives the authentication request and performs the authentication according to information in a database, and determines the validity of the subscriber according to the account. Moreover, the RADIUS server may determine the validity of the terminal according to the MAC address. If the authentication is passed, an IP address is assigned to the subscriber, and an authentication response message is returned, as described in Step 65.

[0102] Step 65: After the authentication is passed, the RADIUS server returns an authentication response message carrying the IP address assigned to the client, to the DHCP authentication server.

[0103] After the DHCP authentication server receives the authentication response message, the DHCP authentication server extracts the IP address assigned by the RADIUS server, and assigns an IP address to the DHCP client with a standard DHCP process, as described in subsequent steps.

[0104] Step 66: After the DHCP authentication server receives the response message, the DHCP authentication server sends a DHCP Offer message to the DHCP client.

[0105] Step 67: After the DHCP client receives the DHCP Offer message, the DHCP client sends a DHCP request message to the DHCP authentication server.

[0106] Step 68: The DHCP authentication server sends the IP address sent from the RADIUS server to the DHCP client via a DHCP Reply message.

[0107] In the above Step 63, the process in which the BRAS inserts the option Option82 is described. In practical application, as shown in Figure 7, the option Option82 may be inserted by the DSLAM, in other words, by the access node, while the BRAS only acts as a DHCP relay. Other processes are the same as those described above.
[0108] In the above process, if the RADIUS server only performs the authentication and the DHCP server assigns corresponding IP addresses, the process of Step 65 to Step 68 may be as follows. When the RADIUS server returns an authentication pass message to the DHCP server, the DHCP server sends a DHCP Offer message to the DHCP client, and a corresponding IP address will be assigned to the DHCP client subsequently with the conventional address assignment process.

[0109] Subsequently, for example, the method is described in the case that the DHCP authentication server operates in a server mode, as shown in Figure 8 and Figure 9.

[0110] Step 91: When a subscriber opens an account, the operator adds a piece of data to a DHCP authentication server and records the subscriber location information; the encoding mode is consistent with the option Option82 inserted by the access node or the BRAS, and the MAC address of a terminal (STB, IAD) may be optionally recorded.

[0111] Step 92: When a DHCP client needs to obtain the IP address, the DHCP client needs to send a DHCP Discovery message to the BRAS.

[0112] Step 93: As a DHCP relay, the BRAS captures the DHCP message and inserts option Option82 into the message, and then sends the DHCP Discovery message carrying the subscriber location information to the DHCP authentication server. The subscriber location information, such as port information, VPI/VCI and VLAN ID, is identified in the option Option82.
[0113] The DHCP authentication server receives the
DHCP message relayed by the BRAS, extracts the option
Option82 and the MAC address of the terminal as the
identification information, queries a local database, and
performs an authentication to the identification information
of the DHCP client according to the identification
information saved for a valid subscriber locally. If the
authentication is passed, the DHCP authentication server
returns a DHCP Offer message to the DHCP client, as
described in Step 94.

[0114] Step 94: The DHCP authentication server
sends a DHCP Offer message to the DHCP client.
[0115] Step 95: After receiving the DHCP Offer message,
the DHCP client sends a DHCP request message
to the DHCP authentication server.
[0116] Step 96: The DHCP authentication server assigns
the IP address to the DHCP client, and sends the
IP address to the DHCP client via a DHCP Reply message.

[0117] Similarly, as described in Step 93 of Figure 9,
the BRAS inserts the option Option82. In practical
application, the option Option82 may also be inserted by an
access node like DSLAM, while the BRAS only acts as
the DHCP relay. Other processes are the same as those
described above.
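
The server-mode check of Steps 93 to 96 is illustrated below as an added Python example; it is not part of the patent text. It assumes the location information travels in the Agent Circuit ID sub-option (sub-option 1 of Option82, per RFC 3046); the function names, circuit-ID strings and subscriber records are constructed for illustration.

```python
MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that precedes the options

def parse_tlvs(buf, dhcp_level=True):
    """Walk code/length/value triples; raise ValueError if one is truncated."""
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if dhcp_level and code == 0:      # pad option has no length byte
            i += 1
            continue
        if dhcp_level and code == 255:    # end option
            break
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated option")
        out[code] = buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]
    return out

def identify(packet):
    """Return (circuit_id, mac_hex) from a relayed DHCP Discovery, else None."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        return None
    try:
        opts = parse_tlvs(packet[240:])
        sub = parse_tlvs(opts.get(82, b""), dhcp_level=False)
    except ValueError:
        return None
    if opts.get(53) != b"\x01" or 1 not in sub:   # not a Discovery, or no location
        return None
    return sub[1], packet[28:28 + min(packet[2], 16)].hex()

def authenticate(packet, subscribers):
    """subscribers maps circuit id -> recorded MAC hex, or None if no MAC recorded."""
    ident = identify(packet)
    if ident is None or ident[0] not in subscribers:
        return False                      # no Offer for unknown or unlabelled lines
    return subscribers[ident[0]] in (None, ident[1])

def build_discover(mac, circuit_id=None):
    """Constructed sample: a DHCP Discovery as it leaves the relay."""
    pkt = bytes([1, 1, 6, 1]) + bytes(24) + mac.ljust(16, b"\0") + bytes(192)
    opts = b"\x35\x01\x01"                # option 53 = DHCPDISCOVER
    if circuit_id is not None:
        sub = bytes([1, len(circuit_id)]) + circuit_id
        opts += bytes([82, len(sub)]) + sub
    return pkt + MAGIC + opts + b"\xff"

SUBSCRIBERS = {b"dslam1 atm 0/1/2:8.35": "0011223344aa",   # constructed records
               b"dslam1 eth 0/3:100": None}                # MAC not recorded
```

A Discovery that arrives without Option82, with a truncated option, or from a line that has no subscriber record is refused before any address handling takes place.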

[0118] In conclusion, the present invention may
enhance the security of the address assignment in DHCP
mode greatly, and may perform an access authentication
to a subscriber according to location information, and
may only assign an IP address to a valid subscriber or a
valid terminal. Therefore, the attack of malicious address
use-up may be effectively prevented. Moreover, when
the network attack or other network security problems
occur, the physical location of the subscriber may be
traced according to the IP address, so that a hacker may
be effectively deterred from carrying out an attack activity.

[0119] Additional advantages and modifications will
readily occur to those skilled in the art. Therefore, the
present invention in its broader aspects is not limited to
the specific details and representative embodiments
shown and described herein. Accordingly, various
modifications and variations may be made without departing
from the spirit or scope of the present invention as defined
by the appended claims and their equivalents.



1. A method for realizing a secure assignment of a
DHCP address, comprising:

A. sending, by a DHCP client, a DHCP Discovery
message via an access network;

B. obtaining, by an access network side, identification
information of the DHCP client and performing
an authentication to the DHCP client
based on the identification information; and

C. assigning, by a DHCP server, an address to
the DHCP client that has passed the authentication.

2. The method for realizing the secure assignment of
the DHCP address according to claim 1, wherein,
the identification information comprises:

a port number, a circuit number and a connection
number of the DHCP client.

3. The method for realizing the secure assignment of
the DHCP address according to claim 1, wherein,
the step B comprises:

determining, by an access node or an access
server in the access network, the identification
information of the DHCP client according to at
least one of an ingress port, a circuit information
and connection information of the DHCP Discovery
message.

4. The method for realizing the secure assignment of
the DHCP address according to claim 1, 2 or 3,
wherein, the step B comprises:

performing, by the access node or the access
server in the access network, a validity authentication
to the DHCP client according to the identification
information of the DHCP client and preconfigured
identification information for a valid
subscriber.

5. The method for realizing the secure assignment of
the DHCP address according to claim 1, 2 or 3,
wherein, the step B comprises:

B1. initiating, by the access node or the access
server in the access network, an authentication
request to an authentication server using the
identification information of the client; and
B2. performing, by the authentication server, the
validity authentication to the client according to
the identification information saved for a valid
subscriber.

6. A DHCP authentication server for realizing a secure
assignment of a DHCP address, comprising a DHCP
server module, a protocol converting module and an
AAA (Authentication, Authorization and Accounting)
client module, wherein:

the DHCP server module is adapted to receive
a DHCP request message sent by a DHCP client
via an access node or an access server and
respond to the DHCP client with an address
assigned to the DHCP client that has passed an
authentication, the address is returned by an AAA
server and received by an AAA client module;
the protocol converting module is adapted to
obtain information needed in AAA authentication
in a DHCP Discovery message of a corresponding
DHCP client sent from the access node or
the access server, generate an AAA authentication
message, generate a DHCP Offer message
according to an authentication response
message received by the AAA client module and
send the DHCP Offer message; and
the AAA client module is adapted to communicate
with the AAA server based on the AAA authentication
message generated by the DHCP
protocol converting module, obtain an authentication
result of the DHCP client, and deliver the
authentication result to the protocol converting
module and the DHCP server module.

7. A DHCP authentication server for realizing a secure
assignment of a DHCP address, comprising an
authentication processing module and a DHCP server,
wherein:

the authentication processing module is adapted
to obtain identification information of a client
initiating a DHCP process, perform a validity
authentication to the client according to identification
information saved for a valid subscriber, and
send a DHCP Discovery message of a DHCP
client that has passed the validity authentication to
the DHCP server; and

the DHCP server is adapted to receive the DHCP
Discovery message sent by the authentication
processing module and send a DHCP Offer
message to the DHCP client, and assign an address
to a corresponding DHCP client in an address
pool of the DHCP server when the DHCP
client sends a DHCP request message.

8. A system for realizing a secure assignment of a
DHCP address, comprising a DHCP client, an access
network and a DHCP authentication server; wherein
a DHCP client is adapted to communicate with the
DHCP authentication server via an access network
to obtain an address; the DHCP authentication server
is adapted to perform a validity authentication to
a DHCP Discovery message of the DHCP client obtained
by the access network, and assign the address
to the DHCP client that has passed the validity
authentication.

9. A method for realizing a secure assignment of a
DHCP address, comprising:

C. receiving, by an access node or an access
server, the DHCP Discovery message sent from
the DHCP client, and inserting identification
information of the DHCP client into the DHCP Discovery
message and sending the DHCP Discovery
message to a DHCP authentication server;

D. obtaining, by the DHCP authentication server,
the identification information of the client from
the DHCP Discovery message; and

E. performing, by the DHCP authentication server,
a validity authentication to the client using
the identification information, and only performing
an address assignment process on the DHCP
client that has passed the validity authentication.

10. The method for realizing the secure assignment of
the DHCP address according to claim 9, wherein,
the step E comprises:

performing, by the DHCP authentication server,
the DHCP authentication for the DHCP client
locally according to identification information
saved for a valid subscriber, and sending the
DHCP Discovery message of the client that has
passed the DHCP authentication to a DHCP
server; and performing, by the DHCP server, the
address assignment process.

11. A method for realizing a secure assignment of a
DHCP address, comprising:

F. receiving, by an access node or an access
server, the DHCP Discovery message sent from
the DHCP client, and inserting identification
information of the DHCP client into the DHCP Discovery
message and sending the DHCP Discovery
message to a DHCP authentication server;

G. obtaining, by the DHCP authentication server,
the identification information of the DHCP client
from the DHCP Discovery message;

H. sending, by the DHCP authentication server,
an authentication request message to an AAA
server using the identification information, and
performing, by the AAA server, an authentication
to the identification information of the DHCP
client and assigning an address to the DHCP
client that has passed the authentication;

or,
sending, by the DHCP authentication server, the
authentication request message to the AAA
server using the identification information, and
performing, by the AAA server, an authentication
to the identification information of the DHCP
client; assigning, by the DHCP authentication
server, the address to the client that has passed the
authentication after receiving an authentication
pass information.
